capistrano-unicorn-nginx 4.2.0 → 5.0.0

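--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 8f0337593e08e19cab15ce29f6ccb7455e37df5e
- data.tar.gz: 8eba038b8b6e113d3e8be52f8838c14e3232fea4
+ metadata.gz: 0fa877d749e83b2c34f3b32afe592b02e64c5e2a
+ data.tar.gz: 548a8d063c482223211352b23f9448abc49346c8
  SHA512:
- metadata.gz: 207b3ae7e01925fb55b881e18188b4c8c8b939cf874d2c1b6f2228c1957f975d97d95a926e637e10bcf2b563c804492b507f5dc9691c7ac5ebfd647b61c2d636
- data.tar.gz: b801c70fc857c355b81444fbac9e5206719444107acf0aa0840a1bc68bd00f011c40e86885241e5b0660bc856c00f653cd84ce32d6ae87ef22063452e0c008d1
+ metadata.gz: 5b74ee7655764aa5b1b377fd780d62c6e08ad9a4f3b21cd1c224a81b64d114aaeaaf58c490e09fda1faca0de4f7727a55d5af2eda137449c1e147ab8b226bb19
+ data.tar.gz: e05853236f43bb5d13b33604f5cffc6b8dfc31af551ecc1e4c18cbb9b7d4071428cb0a9757bf8fd45487594b298af1c4eadfc2b83fdc1d002e25adbcf9143ae4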
@@ -2,6 +2,11 @@
2
2
 
3
3
  ### master
4
4
 
5
+ ### v5.0.0, 2018-02-08
6
+ - Remove `nginx_pass_ssl_client_cert` in favor of nginx_use_client_ssl
7
+ - Add `nginx_server_ssl_ports` to specify which ports nginx should listen on
8
+ - Remove `nginx_use_spdy`. Use `nginx_use_http2` instead.
9
+
5
10
  ### v4.2.0, 2018-02-08
6
11
  - Add support for client authentication using a root CA. Inspired by
7
12
  http://www.pandurang-waghulde.com/2014/06/client-side-ssl-certificate.html
@@ -14,10 +14,19 @@ namespace :load do
14
14
  # ssl options
15
15
  set :nginx_location, '/etc/nginx'
16
16
  set :nginx_use_ssl, false
17
- set :nginx_use_spdy, false
18
17
  set :nginx_use_http2, false
19
- # if true, passes the SSL client certificate to the application server for consumption in Ruby code
20
- set :nginx_pass_ssl_client_cert, false
18
+ # if true, verifies the client certificate, and passes a number of variables
19
+ # in the header to the application server consumption in Ruby code. These
20
+ # are:
21
+ # - X-Client-DN: the Distinguished Name of the certificate
22
+ # - X-Client-Serial: the Serial Number of the certificate
23
+ # - X-Client-Verify:
24
+ # - SUCCESS if a certificate was supplied that was signed by the CA.
25
+ # - FAILED if a certificate was supplied that was not signed by the CA.
26
+ # - NONE if no certificate was supplied
27
+ # - X-Client-Raw-Cert: the raw (PEM) version of the supplied certificate
28
+ set :nginx_use_client_ssl, false
29
+ set :nginx_ssl_client_ca, '' # the location of the root CA (on server)
21
30
  set :nginx_ssl_cert, -> { nginx_default_ssl_cert_file_name }
22
31
  set :nginx_ssl_cert_key, -> { nginx_default_ssl_cert_key_file_name }
23
32
  set :nginx_ssl_cert_path, -> { nginx_default_ssl_cert_file_path }
@@ -33,11 +42,11 @@ namespace :load do
33
42
  end
34
43
 
35
44
  namespace :nginx do
36
-
37
45
  task :defaults do
38
46
  on roles :web do
39
47
  set :nginx_server_name, fetch(:nginx_server_name, host.to_s)
40
48
  set :nginx_server_port, fetch(:nginx_server_port, 80)
49
+ set :nginx_server_ssl_ports, fetch(:nginx_server_ssl_ports, [443])
41
50
  end
42
51
  end
43
52
 
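Review bot: The comment added above `set :nginx_use_client_ssl, false` says nginx "verifies the client certificate", but the template changed in this same diff emits `ssl_verify_client optional_no_ca;`, under which nginx still proxies requests that carry no certificate or one not signed by the CA. The decision is therefore left to the application, and the comment should say so, for example `# nginx does not reject the request; the app must treat any X-Client-Verify value other than SUCCESS as unauthenticated`. nginx 1.11.7 and later report failures as `FAILED:reason` rather than a bare `FAILED`, so the comment should steer readers to compare against `SUCCESS` only. Separately, `nginx_ssl_client_ca` defaults to `''` and nothing visible in these hunks checks that it is set when `nginx_use_client_ssl` is true, which would render `ssl_trusted_certificate ;`. The `namespace :load` block begins and ends outside both hunks.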
@@ -1,5 +1,5 @@
1
1
  module Capistrano
2
2
  module UnicornNginx
3
- VERSION = '4.2.0'.freeze
3
+ VERSION = '5.0.0'.freeze
4
4
  end
5
5
  end
@@ -1,24 +1,14 @@
1
- <% if fetch(:nginx_use_ssl) && nginx_pass_ssl_client_cert -%>
2
- # source: http://forum.nginx.org/read.php?2,236546,236596
3
- map $ssl_client_raw_cert $a {
4
- "~^(-.*-\n)(?<1st>[^\n]+)\n((?<b>[^\n]+)\n)?((?<c>[^\n]+)\n)?((?<d>[^\n]+)\n)?((?<e>[^\n]+)\n)?((?<f>[^\n]+)\n)?((?<g>[^\n]+)\n)?((?<h>[^\n]+)\n)?((?<i>[^\n]+)\n)?((?<j>[^\n]+)\n)?((?<k>[^\n]+)\n)?((?<l>[^\n]+)\n)?((?<m>[^\n]+)\n)?((?<n>[^\n]+)\n)?((?<o>[^\n]+)\n)?((?<p>[^\n]+)\n)?((?<q>[^\n]+)\n)?((?<r>[^\n]+)\n)?((?<s>[^\n]+)\n)?((?<t>[^\n]+)\n)?((?<v>[^\n]+)\n)?((?<u>[^\n]+)\n)?((?<w>[^\n]+)\n)?((?<x>[^\n]+)\n)?((?<y>[^\n]+)\n)?((?<z>[^\n]+)\n)?(-.*-)$" $1st;
5
- }
6
- <% end -%>
7
-
8
1
  server {
9
2
  <% if fetch(:nginx_use_ssl) -%>
10
- <% if fetch(:nginx_use_http2) -%>
11
- listen <%= ssl_port %> http2;
12
- <% elsif fetch(:nginx_use_spdy) -%>
13
- listen <%= ssl_port %> spdy;
14
- <% else -%>
15
- listen <%= ssl_port %>;
3
+ <% fetch(:nginx_server_ssl_ports).each do |port| -%>
4
+ listen <%= port %> <%= 'http2' if fetch(:nginx_use_http2)-%>;
16
5
  <% end -%>
17
6
  ssl on;
18
7
  ssl_certificate <%= nginx_ssl_cert_file %>;
19
8
  ssl_certificate_key <%= nginx_ssl_cert_key_file %>;
20
9
  <% if fetch(:nginx_use_client_ssl) -%>
21
10
  ssl_trusted_certificate <%= nginx_ssl_client_ca %>;
11
+ ssl_verify_client optional_no_ca;
22
12
  <% end -%>
23
13
 
24
14
  ssl_session_cache shared:SSL:10m;
@@ -38,10 +28,6 @@ server {
38
28
 
39
29
  add_header X-Content-Type-Options nosniff;
40
30
 
41
- <% if fetch(:nginx_use_ssl) && (nginx_pass_ssl_client_cert || fetch(:nginx_use_client_ssl)) -%>
42
- ssl_verify_client optional_no_ca;
43
- <% end -%>
44
-
45
31
  client_max_body_size 4G;
46
32
  keepalive_timeout 10;
47
33
 
@@ -66,11 +52,7 @@ server {
66
52
  proxy_set_header X-Client-Dn $ssl_client_s_dn;
67
53
  proxy_set_header X-Client-Serial $ssl_client_serial;
68
54
  proxy_set_header X-Client-Verify $ssl_client_verify;
69
- <% end -%>
70
-
71
- <% if fetch(:nginx_use_ssl) && nginx_pass_ssl_client_cert -%>
72
- # source: http://forum.nginx.org/read.php?2,236546,236596
73
- proxy_set_header X-Client-Cert $a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$v$u$w$x$y$z;
55
+ proxy_set_header X-Client-Raw-Cert $ssl_client_raw_cert;
74
56
  <% end -%>
75
57
 
76
58
  proxy_pass http://unicorn_<%= fetch(:nginx_config_name) %>;
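Review bot: `proxy_set_header X-Client-Raw-Cert $ssl_client_raw_cert;` in the last hunk puts a multi-line PEM value into a single request header, which is what the removed `map` workaround existed to avoid; the upstream request then carries bare continuation lines that the backend may reject or misparse. nginx provides `$ssl_client_escaped_cert` (1.13.5 and later, URL-encoded) for this use, so the line could read `proxy_set_header X-Client-Raw-Cert $ssl_client_escaped_cert;` with the application decoding it. The `X-Client-*` headers are also only set inside a conditional whose opening lies outside the hunk; if the same `location` is rendered without it (plain HTTP, or client SSL disabled), a client-supplied `X-Client-Verify` header would reach the application unchanged, so those branches should clear it with `proxy_set_header X-Client-Verify "";` and likewise for the other three. In the first hunk, an empty `nginx_server_ssl_ports` emits no `listen` line at all, which leaves the SSL server block on nginx's default listen address.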
@@ -16,10 +16,4 @@ server {
16
16
  }
17
17
  <% end -%>
18
18
 
19
- <%# render the default server directive. If SSL is enabled, port 443 is used %>
20
- <%= template_to_s("_default_server_directive.erb", ssl_port: 443, nginx_pass_ssl_client_cert: false).to_s %>
21
-
22
- <% if fetch(:nginx_pass_ssl_client_cert) -%>
23
- <%# render the server directive with SSL client certificate authentication enabled on port 444 %>
24
- <%= template_to_s("_default_server_directive.erb", ssl_port: 444, nginx_pass_ssl_client_cert: true).to_s %>
25
- <% end -%>
19
+ <%= template_to_s("_default_server_directive.erb").to_s %>
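Review bot: The `<% if fetch(:nginx_pass_ssl_client_cert) -%>` render is removed without any guard, so a deployment that still sets `nginx_pass_ssl_client_cert` silently loses its port 444 server and the `X-Client-Cert` header instead of failing at deploy time. A one-line check before the remaining render would make the breaking change visible: `<% raise 'nginx_pass_ssl_client_cert was removed; use nginx_use_client_ssl' if fetch(:nginx_pass_ssl_client_cert, false) -%>`. The earlier part of this template lies outside the hunk, so an existing check there cannot be ruled out.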
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: capistrano-unicorn-nginx
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.2.0
4
+ version: 5.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ruben Stranders